asan: buffer overflow in elfnn-aarch64.c get_plt_type
@ 2021-12-17 5:42 Alan Modra
From: Alan Modra @ 2021-12-17 5:42 UTC (permalink / raw)
To: binutils
We can't assume .dynamic is a multiple of ElfNN_External_Dyn, at least
not when presented with fuzzed object files.
* elfnn-aarch64.c (get_plt_type): Don't access past end of
improperly sized .dynamic.
diff --git a/bfd/elfnn-aarch64.c b/bfd/elfnn-aarch64.c
index 4885f417a2a..051aff5c1b0 100644
--- a/bfd/elfnn-aarch64.c
+++ b/bfd/elfnn-aarch64.c
@@ -9762,11 +9762,13 @@ get_plt_type (bfd *abfd)
aarch64_plt_type ret = PLT_NORMAL;
bfd_byte *contents, *extdyn, *extdynend;
asection *sec = bfd_get_section_by_name (abfd, ".dynamic");
- if (!sec || !bfd_malloc_and_get_section (abfd, sec, &contents))
+ if (!sec
+ || sec->size < sizeof (ElfNN_External_Dyn)
+ || !bfd_malloc_and_get_section (abfd, sec, &contents))
return ret;
extdyn = contents;
- extdynend = contents + sec->size;
- for (; extdyn < extdynend; extdyn += sizeof (ElfNN_External_Dyn))
+ extdynend = contents + sec->size - sizeof (ElfNN_External_Dyn);
+ for (; extdyn <= extdynend; extdyn += sizeof (ElfNN_External_Dyn))
{
Elf_Internal_Dyn dyn;
bfd_elfNN_swap_dyn_in (abfd, extdyn, &dyn);
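Review bot: `extdynend` now points at the start of the last complete entry rather than one past the end of the section, which is what its name and the previous assignment suggest, so a short comment above `extdynend = contents + sec->size - sizeof (ElfNN_External_Dyn);` (or a rename such as `extdynlast`) would keep a later reader from "correcting" the `<=` back to `<`. Worth noting in that comment as well: the new `sec->size < sizeof (ElfNN_External_Dyn)` test is what prevents that subtraction from yielding a pointer before `contents`, so it is a required guard for the loop bound, not only an early exit for an empty section; with it in place any trailing bytes that do not form a whole entry are simply never read.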
--
Alan Modra
Australia Development Lab, IBM
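The bounds problem the patch fixes, as an added stand-alone example that is not part of the original message or of binutils: a walk over a byte buffer of fixed-size .dynamic entries whose length is not a multiple of the entry size. `old_loop_overread` computes how far the pre-patch loop bound (`extdyn < contents + size`) would read past the buffer instead of dereferencing it, and `dyn_lookup` applies the patched bound (`extdyn <= contents + size - entsize` after a minimum-size check). The 16-byte entry size, the little-endian layout, the stop at DT_NULL, and the sample section bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed entry size: a 64-bit ELF .dynamic entry (Elf64_Dyn) is two
 * 8-byte fields, d_tag and d_un, i.e. 16 bytes (8 for the 32-bit case). */
#define DYN_ENTSIZE 16
#define DT_NULL     0
#define DT_FLAGS    30
#define DF_BIND_NOW 0x8

static uint64_t rd64le(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Bytes past the end of a 'size'-byte buffer that the pre-patch loop
 * (for (; extdyn < contents + size; extdyn += DYN_ENTSIZE)) would read on
 * its last iteration.  Zero only when size is a multiple of the entry size.
 * Computed arithmetically: the overread is exactly what ASan reported. */
size_t old_loop_overread(size_t size)
{
    size_t iters = (size + DYN_ENTSIZE - 1) / DYN_ENTSIZE;
    return iters * DYN_ENTSIZE - size;
}

/* Patched walk: visit complete entries only.  Returns 1 and stores d_un in
 * *val (when val is non-NULL) if 'tag' appears before DT_NULL, else 0.
 * Never touches a byte at or beyond contents + size. */
int dyn_lookup(const unsigned char *contents, size_t size,
               int64_t tag, uint64_t *val)
{
    if (size < DYN_ENTSIZE)      /* mirrors the new sec->size check; also
                                    keeps extdynend from going below contents */
        return 0;
    const unsigned char *extdyn = contents;
    const unsigned char *extdynend = contents + size - DYN_ENTSIZE; /* last whole entry */
    for (; extdyn <= extdynend; extdyn += DYN_ENTSIZE) {
        int64_t d_tag = (int64_t)rd64le(extdyn);
        if (d_tag == DT_NULL)    /* assumed: end-of-table marker stops the walk */
            return 0;
        if (d_tag == tag) {
            if (val)
                *val = rd64le(extdyn + 8);
            return 1;
        }
    }
    return 0;                    /* a trailing partial entry is never read */
}

/* Constructed .dynamic contents (not taken from any real file): DT_FLAGS =
 * DF_BIND_NOW, DT_NULL, then 5 stray bytes that do not form an entry, the
 * shape a fuzzed section size can produce.  37 bytes, not a multiple of 16. */
const unsigned char fuzzed_dynamic[37] = {
    30, 0, 0, 0, 0, 0, 0, 0,   8, 0, 0, 0, 0, 0, 0, 0,   /* DT_FLAGS, DF_BIND_NOW */
     0, 0, 0, 0, 0, 0, 0, 0,   0, 0, 0, 0, 0, 0, 0, 0,   /* DT_NULL */
    0xde, 0xad, 0xbe, 0xef, 0x01                         /* partial entry */
};
const size_t fuzzed_dynamic_size = sizeof fuzzed_dynamic;

/* Convenience check over the constructed section: is DF_BIND_NOW set? */
int fuzzed_has_bind_now(void)
{
    uint64_t flags = 0;
    if (!dyn_lookup(fuzzed_dynamic, fuzzed_dynamic_size, DT_FLAGS, &flags))
        return 0;
    return (flags & DF_BIND_NOW) != 0;
}

int main(void)
{
    printf("DF_BIND_NOW found: %d\n", fuzzed_has_bind_now());
    printf("pre-patch loop would read %zu byte(s) past the end of a %zu-byte section\n",
           old_loop_overread(fuzzed_dynamic_size), fuzzed_dynamic_size);
    return 0;
}
```

Run under ASan (`-fsanitize=address`) the old bound would trip on the 37-byte buffer because the third iteration reads 16 bytes starting at offset 32; the patched bound visits only offsets 0 and 16, so the stray bytes are never dereferenced.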